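# NixOS module: shared guest configuration for the microvm.nix VMs.
#
# The per-VM knobs declared under `services.micro_vm` (hostname, address, MAC,
# CPU and balloon memory) are wired into the microvm hypervisor settings; the
# rest of the module is the common guest baseline: static LAN networking,
# key-only SSH behind fail2ban, remote syslog, and a Prometheus node exporter.
#
# Changes from the previous revision:
#   * mkEnableOption text no longer reads "Whether to enable Enable ...".
#   * vm_mem is documented as what it actually sets (microvm.balloonMem).
#   * hostname length is asserted, because it becomes part of a tap
#     interface name and the kernel caps those at 15 characters.
#   * unused module arguments dropped; duplicated attribute paths merged.
{ config, pkgs, lib, ... }:
let
  cfg = config.services.micro_vm;
  # Host-side directory holding this VM's persistent state (disk image and the
  # env share). Interpolated into the same paths the module used before.
  vmStateDir = "/var/lib/microvms/${cfg.hostname}";
in
{
  options.services.micro_vm = {
    enable = lib.mkEnableOption "the NixOS microvm guest configuration";

    hostname = lib.mkOption {
      type = lib.types.str;
      # Also used to name the tap device ("vm-<hostname>"), the env share tag
      # and the secrets mount point, so keep it short and DNS-label-like.
      description = "The VM hostname";
    };

    vm_ip = lib.mkOption {
      type = lib.types.str;
      # Bare address; the /24 prefix is appended in the network unit below.
      description = "The VM IP address";
    };

    macAddr = lib.mkOption {
      type = lib.types.str;
      description = "The VM MAC Address";
    };

    vm_mem = lib.mkOption {
      type = lib.types.int;
      # This feeds microvm.balloonMem, i.e. reclaimable memory on top of the
      # base allocation (microvm.mem keeps the microvm module's own default).
      # With the default of 0 the guest presumably gets base memory only.
      description = "Balloon memory for the VM, in MiB (passed to microvm.balloonMem)";
      default = 0;
    };

    vm_cpu = lib.mkOption {
      type = lib.types.int;
      description = "The VM CPU count";
      default = 1;
    };
  };

  config = lib.mkIf cfg.enable {
    # Linux limits interface names to 15 characters (IFNAMSIZ - 1). The tap
    # device below is named "vm-${hostname}", so fail at evaluation time with
    # a clear message instead of when the tap cannot be created.
    assertions = [
      {
        assertion = builtins.stringLength cfg.hostname <= 12;
        message = "services.micro_vm.hostname '${cfg.hostname}' is longer than 12 characters; the tap interface name 'vm-${cfg.hostname}' would exceed the kernel's 15-character limit.";
      }
    ];

    microvm = {
      hypervisor = "qemu";
      socket = "control.socket";
      vcpu = cfg.vm_cpu;
      balloonMem = cfg.vm_mem;

      # /var is the only persistent volume this module declares. Anything
      # outside it (notably /etc) lives on whatever root filesystem the
      # microvm module provides.
      volumes = [
        {
          mountPoint = "/var";
          image = "${vmStateDir}/var.img";
          size = 8192;
        }
      ];

      shares = [
        # Host nix store, exposed read-only as the guest's store backing.
        {
          proto = "virtiofs";
          tag = "ro-store";
          source = "/nix/store";
          mountPoint = "/nix/.ro-store";
        }
        # Per-VM secrets handed in from the host. NOTE(review): whether the
        # guest can write back into the host directory depends on how the
        # share is exported host-side, which this module does not control.
        {
          proto = "virtiofs";
          tag = "${cfg.hostname}-env";
          source = "${vmStateDir}/env";
          mountPoint = "/run/secrets/${cfg.hostname}";
        }
      ];

      interfaces = [
        {
          type = "tap";
          id = "vm-${cfg.hostname}";
          mac = cfg.macAddr;
        }
      ];
    };

    # Static IPv4 on the first ethernet interface; IPv6 is left to router
    # advertisements.
    systemd.network = {
      enable = true;
      networks."20-lan" = {
        matchConfig.Type = "ether";
        networkConfig = {
          Address = [ "${cfg.vm_ip}/24" ];
          Gateway = "192.168.1.254";
          DNS = [ "192.168.1.254" ];
          IPv6AcceptRA = true;
          DHCP = "no";
        };
      };
    };

    nix = {
      settings = {
        experimental-features = [ "nix-command" "flakes" ];
        # Trusted users may hand the daemon arbitrary substituters and sandbox
        # paths, which the Nix manual describes as effectively root access.
        # Combined with passwordless sudo below, wheel membership is root here.
        trusted-users = [ "root" "@wheel" ];
      };
      gc = {
        automatic = true;
        dates = "daily";
        options = "--delete-old";
      };
    };

    networking.firewall = {
      enable = true;
      # 22: SSH. 9002: Prometheus node exporter, reachable from the LAN.
      allowedTCPPorts = [ 22 9002 ];
    };

    time.timeZone = "Europe/Paris";
    console.keyMap = "fr";
    i18n.defaultLocale = "fr_FR.UTF-8";

    # Login is key-only (see services.openssh below), so the SSH keys listed
    # under users are the entire trust boundary for root on this VM.
    security.sudo.wheelNeedsPassword = false;

    users.users = {
      tbarnouin = {
        isNormalUser = true;
        extraGroups = [ "wheel" ];
        shell = pkgs.zsh;
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos"
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICf1B0nxNMvPWSR9pStdtx2x6Iw+JUeCCt1CKWoD8dsr"
        ];
      };
      # PermitRootLogin = "prohibit-password" still allows key-based root
      # login, so this key can open a root shell directly (no sudo hop).
      root.openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos"
      ];
    };

    programs = {
      zsh = {
        enable = true;
        shellAliases = {
          ll = "ls -l";
          lla = "ls -lah";
        };
        ohMyZsh = {
          enable = true;
          plugins = [ "git" ];
          theme = "bira";
        };
      };
      tmux.enable = true;
    };

    nixpkgs.config.allowUnfree = true;

    environment = {
      localBinInPath = true;
      sessionVariables.TERM = "xterm-256color";
      systemPackages = with pkgs; [
        vim
        bash
        wget
        curl
        git
        htop
        tree
        dig
        ncdu
        nmap
        iperf3
        netcat-openbsd
      ];
    };

    services = {
      openssh = {
        enable = true;
        settings = {
          PasswordAuthentication = false;
          KbdInteractiveAuthentication = false;
          PermitRootLogin = "prohibit-password";
        };
        # NOTE(review): /etc is not on the persistent /var volume. If the root
        # filesystem is ephemeral, this host key is regenerated on every boot
        # and clients see a changed fingerprint; the activation script that
        # recreates /etc/ssh below suggests that is the case. A path under
        # /var/lib would survive reboots — confirm before moving it.
        hostKeys = [
          {
            path = "/etc/ssh/ssh_host_ed25519_key";
            type = "ed25519";
          }
        ];
      };

      fail2ban.enable = true;

      rsyslogd = {
        enable = true;
        # A single '@' is rsyslog's plain-UDP forwarder: log lines leave the
        # VM unencrypted and unauthenticated ('@@' selects TCP; TLS requires
        # the gtls driver to be configured in addition).
        extraConfig = "*.*@192.168.1.27:514;RSYSLOG_SyslogProtocol23Format";
      };

      prometheus.exporters.node = {
        enable = true;
        enabledCollectors = [ "systemd" ];
        port = 9002;
      };
    };

    system = {
      stateVersion = "24.11";
      # Makes sure the host-key directory exists before sshd generates the key.
      activationScripts.ensure-ssh-key-dir.text = "mkdir -p /etc/ssh";
    };
  };
}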